Data Protection in Paradise — Part 8

The DPO Sri Lanka Doesn’t Have Yet — Building a Privacy Profession From Scratch

The PDPA requires most organisations to appoint a Data Protection Officer. In October 2025, CICRA Campus graduated Sri Lanka’s first batch. There were a few dozen of them. The gap is a canyon — and inside it is an enormous opportunity.

Here is a maths problem.

Sri Lanka has 25 government ministries. It has 26 licensed commercial and specialised banks. It has over 40 licensed finance companies. It has 5 mobile network operators. It has hundreds of insurance companies, healthcare providers, educational institutions, and large-scale employers. It has thousands of small and medium enterprises that process personal data at scale. Every one of these organisations will need a Data Protection Officer under the PDPA.

In October 2025, CICRA Campus — one of the country’s leading professional education providers — graduated Sri Lanka’s first batch of students with a formal qualification in data protection. There were a few dozen of them.

A few dozen graduates. Thousands of organisations. The gap is not a shortage. It is a canyon. And inside that canyon is one of the most significant professional opportunities in Sri Lanka’s regulatory history.

What the Act Actually Requires

Section 20 of the PDPA establishes the DPO requirement. The provision creates two categories of organisations that must appoint a Data Protection Officer.

The first category is public authorities. Every government ministry, department, statutory body, and state enterprise that processes personal data must appoint a DPO. This is a mandatory, non-negotiable requirement with no threshold or exemption.

The second category is organisations whose core activities consist of processing operations that, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale — or processing of special categories of data or data relating to criminal convictions and offences on a large scale. Banks, insurance companies, hospitals, telecommunications operators, large employers, educational institutions — the list of organisations that fall into this category is extensive.

The 2025 amendment made a subtle but important change to the DPO’s role. The original Act required the DPO to “ensure” compliance with the PDPA. The amendment changed this to “advise” on compliance. This is not a mere change of wording. It is a fundamental shift in the DPO’s position within the organisation.

“Ensure” implies accountability for compliance outcomes. If the DPO’s role is to ensure compliance, then a compliance failure is, in some sense, a DPO failure. This creates an impossible position: the DPO would be accountable for decisions they do not have the authority to make.

“Advise” implies a different relationship. The DPO advises the organisation on its obligations, monitors compliance, serves as a point of contact for the Authority and for data subjects, and raises concerns — but the ultimate responsibility for compliance rests with the organisation’s management. This aligns with the GDPR model and reflects a more realistic understanding of how organisations actually work.

Section 56 of the amended Act also clarifies the third-party DPO definition. An organisation is not required to appoint an internal DPO. It can engage a third-party individual or organisation to perform the DPO function, provided that individual or organisation meets the qualification requirements and can perform the role effectively. This opens the door to DPO-as-a-service models that could help address the supply shortage.

The Qualification Puzzle

What qualifications does a DPO need? The PDPA does not specify in detail, beyond requiring “expert knowledge of data protection law and practices.” This is both a blessing and a curse. It allows flexibility in how the profession develops, but it creates uncertainty about what “qualified” actually means.

There is no IAPP chapter in Sri Lanka. The International Association of Privacy Professionals, the global standard-setter for privacy certifications, has no local presence, and its certifications, while recognised internationally, are not tailored to the Sri Lankan legal framework. The CIPP (Certified Information Privacy Professional) is offered in jurisdiction-specific tracks covering the US, Europe, Canada, and Asia; the CIPM (Certified Information Privacy Manager) and CIPT (Certified Information Privacy Technologist) are jurisdiction-neutral and cover privacy programme management and privacy engineering respectively. All three provide valuable foundational knowledge, but none of them covers the PDPA in depth.

Singapore offers a useful reference point. The Personal Data Protection Commission of Singapore developed a detailed competency framework for Data Protection Officers that specifies the knowledge, skills, and competencies required at different levels. This framework covers legal knowledge, technical understanding, organisational skills, and sector-specific expertise. Sri Lanka could benefit enormously from developing a similar framework — tailored to the PDPA’s specific requirements and the Sri Lankan regulatory context.

In practice, an effective DPO in Sri Lanka will need a combination of competencies that does not map neatly onto any single existing qualification. They will need legal knowledge — not just of the PDPA, but of the sectoral regulatory frameworks discussed in Part 5 of this series. They will need technical understanding — enough to assess data processing systems, evaluate security measures, and understand the risks of automated decision-making. They will need organisational skills — the ability to work across departments, influence without authority, and translate legal requirements into operational processes. And they will need sector-specific expertise — understanding how data flows through their particular industry and where the risks concentrate.

This combination of competencies is rare. It is rare in every jurisdiction. In Sri Lanka, where formal data protection education is only just beginning, it is almost nonexistent.

The Third-Party DPO Opportunity

The supply-demand gap creates an obvious market opportunity: third-party DPO services.

The European model provides a template. In the years following GDPR implementation, a thriving market for outsourced DPO services emerged across the EU. Consulting firms, law firms, and specialised privacy practices offered DPO-as-a-service arrangements, allowing organisations that could not recruit a full-time DPO to meet their legal obligations through an external appointment.

The economics in Sri Lanka make this model even more compelling. A qualified, full-time DPO commands a salary of Rs. 300,000 to Rs. 500,000 per month at a major financial institution or large enterprise. That is expensive — and for many mid-sized organisations, it is disproportionate to their actual data protection compliance needs. A mid-sized finance company or a regional hospital does not need a full-time DPO working forty hours a week. It needs expert advice, periodic reviews, incident response support, and a named individual who can liaise with the Authority.

The market dimensions are significant. Consider the numbers: 26 banks, over 40 finance companies, 5 mobile operators, hundreds of insurers and healthcare providers, thousands of organisations that process data at scale. Even if only a fraction of these organisations opt for third-party DPO services, the market is substantial.

A single experienced DPO or a small DPO practice could serve multiple organisations simultaneously, provided there are no conflicts of interest and the DPO can genuinely dedicate sufficient time and attention to each client. The PDPA permits this model through its third-party DPO provisions, and the amendment’s shift from “ensure” to “advise” makes it even more workable — an advisory role is inherently more compatible with a shared-services model than an accountability role.

Building the Profession

A few dozen graduates from CICRA Campus do not make a profession. Building a genuine data protection profession in Sri Lanka will require sustained effort across multiple dimensions.

Training Programmes

CICRA’s programme is a start, but it is not enough. Sri Lanka needs multiple training pathways at multiple levels. Short courses for existing professionals who need to add data protection to their skill set. Diploma programmes for people transitioning into data protection as a career. Continuing professional development for practicing DPOs. Sector-specific training for DPOs in banking, healthcare, telecommunications, and government. And executive-level awareness programmes for boards and senior management who need to understand their data protection obligations without becoming practitioners themselves.

University Curricula

Data protection law should be part of the law curriculum at every university in Sri Lanka. Information privacy should be part of the computer science and information technology curricula. Data governance should be part of the business and management curricula. These are not niche specialisms. They are foundational competencies for any professional who will work with data — which, in the modern economy, means virtually every professional.

A Professional Community

Data protection professionals need a community. They need forums to share knowledge, discuss challenges, develop best practices, and support each other. In mature jurisdictions, professional associations like the IAPP provide this function. Sri Lanka needs its own version — whether as an IAPP chapter, a local professional association, or an informal network that evolves into something more structured over time. The first generation of DPOs in Sri Lanka will be pioneers. Pioneers survive better in communities than in isolation.

Career Pathways

For data protection to become a genuine profession, there must be a visible career pathway. Entry-level positions for recent graduates. Mid-career roles for professionals with experience. Senior positions — Head of Privacy, Chief Privacy Officer — for those who want to make data protection their primary career. And lateral entry points for lawyers, IT professionals, compliance officers, and auditors who want to specialise in data protection. If people cannot see a career in data protection, they will not invest in building the skills.

The Authority’s Role

The Data Protection Authority has a critical role to play in building the profession. It can establish competency frameworks that define what a qualified DPO looks like. It can recognise training programmes that meet its standards. It can provide guidance that helps organisations assess the qualifications of DPO candidates. And it can, through its own hiring and development, demonstrate what a professional data protection career looks like in practice. Every decision the Authority makes about DPO standards sends a signal to the market about what qualifications matter.

The DPO Is Not a Compliance Officer

There is a persistent confusion about the DPO role that needs to be addressed directly. The DPO is not a compliance officer.

A compliance officer is responsible for ensuring that the organisation complies with applicable laws and regulations. The compliance officer designs the compliance programme, implements controls, monitors adherence, and reports on compliance status to management and the board. The compliance officer is part of the management structure. They are accountable for outcomes.

The DPO’s role is advisory, not operational. The DPO advises on obligations, monitors compliance, facilitates DPIAs, cooperates with the Authority, and serves as a contact point for data subjects. But the DPO does not design the compliance programme (they advise on it), does not implement controls (they advise on what controls are needed), and does not make compliance decisions (they advise on what decisions should be made).

This distinction creates an inherent tension. The organisation needs someone who is responsible for getting data protection right. It also needs someone who provides independent advice on data protection. These should not be the same person. The DPO’s independence — their ability to raise concerns without fear of adverse consequences, their freedom from conflicts of interest, their direct reporting line to senior management — depends on them not being responsible for the very outcomes they are advising on.

The GDPR experience is instructive here. In the EU, organisations that conflated the DPO role with the compliance officer role found themselves in trouble: in 2020 the Belgian supervisory authority fined Proximus after finding that its DPO, who also headed the compliance, risk and internal audit functions, could not independently monitor decisions he had helped to make. Under Articles 38 and 39 of the GDPR, the DPO cannot be penalised or dismissed for performing their duties, must be involved in all issues relating to the protection of personal data, and must be given sufficient resources and access to fulfil the role. These protections only work if the DPO is genuinely independent, not embedded in the compliance function as just another officer.

Sri Lankan organisations will need to resist the temptation to simply rename their existing compliance officer as the DPO. The roles are different. The accountability structures are different. The independence requirements are different. Getting this distinction wrong does not just risk regulatory non-compliance. It undermines the entire purpose of having a DPO in the first place.

The Parallel to the CISO

Twenty years ago, the Chief Information Security Officer was a niche role. Most organisations did not have one. Those that did typically buried the function somewhere within IT, reporting to the CTO or the Head of Infrastructure. Information security was a technical function, managed by technical people, with minimal visibility at the board level.

Today, the CISO is a board-level position at every major financial institution, every large technology company, and every organisation that takes risk management seriously. The role has its own professional certifications, its own career pathway, its own professional community, and its own seat at the leadership table.

That transformation took roughly fifteen years. It was driven by a combination of regulatory and industry mandates (sectoral rules for financial institutions, PCI DSS for payment card data), widely adopted frameworks such as the NIST Cybersecurity Framework that regulators came to expect organisations to follow, high-profile incidents (data breaches that made headlines and destroyed shareholder value), and a growing recognition that information security was not just a technical problem but a business risk that demanded executive attention.

The Data Protection Officer is at the very beginning of the same journey. Today, the DPO role is unfamiliar, under-resourced, and frequently misunderstood. In fifteen years, it will be as established as the CISO. The regulatory drivers are in place (the PDPA and its sectoral equivalents). The incidents are coming (data breaches, enforcement actions, high-profile complaints). And the recognition that data protection is a business imperative, not just a legal checkbox, is growing.

The professionals who enter this field now — who invest in building the knowledge, skills, and relationships before the market fully values them — will be the ones who define what the data protection profession looks like in Sri Lanka for the next generation.

The maths problem from the beginning of this article has no clean solution. There is no way to produce thousands of qualified DPOs overnight. The gap will persist for years. Some organisations will struggle to find qualified candidates. Some will appoint people who are not adequately prepared. Some will treat the DPO appointment as a box-checking exercise, hiring the cheapest available option and hoping the Authority does not look too closely.

But the gap also creates an extraordinary opportunity. For lawyers who want to specialise. For IT professionals who want to pivot. For compliance officers who want to expand their expertise. For recent graduates who are looking for a career with growth potential and societal impact. For consulting firms that want to build a DPO practice. For training providers who want to develop programmes.

The opportunity is open. The question is who will take it.

Next in the series: Your SMS Marketing Is About to Become Illegal
